Department of Homeland Security

Information Technology Management Letter for FY 2011 Department of Homeland Security Financial Statement Audit

OIG-12-81                                         May 2012

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

May 3, 2012

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the Department.

This report presents the information technology (IT) management letter for the DHS financial statement audit as of September 30, 2011. It contains observations and recommendations related to information technology internal control weaknesses that were summarized in the Independent Auditors’ Report dated November 11, 2011, and represents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the DHS FY 2011 financial statement audit and prepared this IT management letter. KPMG is responsible for the attached IT management letter and the conclusions expressed in it.
We do not express opinions on DHS’ financial statements or internal control, or conclusions on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Frank Deffer
Assistant Inspector General
Office of Information Technology Audits

KPMG LLP
Suite 12000
1801 K Street, NW
Washington, DC 20006

March 27, 2012

Acting Inspector General
U.S. Department of Homeland Security

Chief Information Officer
U.S. Department of Homeland Security

Chief Financial Officer
U.S. Department of Homeland Security

We have audited the balance sheet of the U.S. Department of Homeland Security (DHS or Department) as of September 30, 2011 and the related statement of custodial activity for the year then ended (referred to herein as the “fiscal year (FY) 2011 financial statements”). The objective of our audit was to express an opinion on the fair presentation of these financial statements.
We were also engaged to examine the Department’s internal control over financial reporting of the balance sheet as of September 30, 2011, and statement of custodial activity for the year then ended. In connection with our audit, we also considered DHS’ compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements that could have a direct and material effect on the FY 2011 financial statements.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. In accordance with Government Auditing Standards, our Independent Auditors’ Report, dated November 11, 2011, included internal control deficiencies identified during our audit that, individually or in aggregate, represented a material weakness or a significant deficiency.
This letter represents the separate limited distribution report mentioned in that report.

During our audit engagement, we noted certain matters in the areas of access controls, configuration management, security management, contingency planning, and segregation of duties with respect to DHS’ financial systems general Information Technology (IT) controls, which we believe contribute to a DHS-level significant deficiency that is considered a material weakness in IT controls and financial system functionality. We also noted that in some cases, financial system functionality is inhibiting DHS’ ability to implement and maintain internal controls, notably IT application controls supporting financial data processing and reporting. These matters are described in the General IT Control Findings and Recommendations section of this letter.

Although not considered to be a material weakness, we also noted certain other items during our audit engagement which we would like to bring to your attention. These matters are also described in the General IT Control Findings and Recommendations section of this letter.

The material weakness and other comments described herein have been discussed with the appropriate members of management, or communicated through a Notice of Finding and Recommendation (NFR), and are intended For Official Use Only. We aim to use our knowledge of DHS’ organization gained during our audit engagement to make comments and suggestions that we hope will be useful to you.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative (“KPMG International”), a Swiss entity.
We have not considered internal control since the date of our Independent Auditors’ Report.

The Table of Contents on the next page identifies each section of the letter. We have provided a description of key DHS financial systems within the scope of the FY 2011 DHS financial statement audit engagement in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to financial management and reporting internal controls (comments not related to IT) have been presented in a separate letter to the Office of Inspector General and the DHS Chief Financial Officer.

This report is intended solely for the information and use of DHS management, DHS Office of Inspector General (OIG), U.S. Office of Management and Budget (OMB), U.S. Government Accountability Office (GAO), and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

Department of Homeland Security
Information Technology Management Letter
September 30, 2011

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

                                                                  Page
Objective, Scope and Approach                                        1
Summary of Findings and Recommendation                               2
General IT Control Findings and Recommendation                       3
    Related to IT Controls                                           3
        Access Controls                                              3
        Configuration Management                                     3
        Security Management                                          4
        Contingency Planning                                         4
        Segregation of Duties                                        4
    Related to Financial System Functionality                        4

APPENDICES

Appendix   Subject                                                                                 Page
A          Description of Key Financial Systems within the Scope of the FY 2011 DHS Financial
           Statement Audit                                                                           7
B          FY 2011 Notices of IT Findings and Recommendations at DHS                                15
           • Notice of Findings and Recommendations – Definition of Severity Ratings                16
           • Notice of Findings by DHS Component                                                    17
C          Status of Prior Year Notices of Findings and Recommendations and Comparison to
           Current Year Notices of Findings and Recommendations at DHS                              39
D          Report Distribution                                                                      46

OBJECTIVE, SCOPE, AND APPROACH

During our engagement to perform an integrated audit of DHS, we evaluated the design and effectiveness of IT general controls of DHS’ financial processing environment and related IT infrastructure as necessary to
support the engagement. The Federal Information System Controls Audit Manual (FISCAM), issued by the GAO, formed the basis of our audit as it relates to IT general controls assessments at DHS.

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following five control functions to be essential to the effective operation of the general IT controls environment.

• Security Management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
• Access Control (AC) – Controls that limit or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.
• Configuration Management (CM) – Controls that help to prevent unauthorized changes to information system resources (software programs and hardware configurations) and provide reasonable assurance that systems are configured and operating securely and as intended.
• Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations.
• Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our
general IT controls audit procedures, we also performed technical security testing for key network and system devices, as well as testing over key financial application controls in the DHS environment. The technical security testing was performed both over the Internet and from within select DHS facilities, and focused on test, development, and production devices that directly support key general support systems.

In addition, we performed application control tests on a limited number of DHS’ financial systems and applications. The application control testing was performed to assess the input, processing, and output of financial data and transactions that support the financial systems’ internal controls. Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll. Specific results of the application controls test work are provided in a separate Limited Official Use IT Management Letter provided to component management and the OIG.

In recent years, we have noted that DHS’ financial system functionality may be inhibiting the agency’s ability to implement and maintain internal controls, notably IT application controls supporting financial data processing and reporting at some components. At most components, the financial systems have not been substantially updated since being inherited from legacy agencies eight years ago.
Therefore, in FY 2011, we continued to evaluate and consider the impact of financial system functionality over financial reporting.

Information Technology Management Letter for the FY 2011 Department of Homeland Security’s Financial Statement Audit
Page 1

SUMMARY OF FINDINGS AND RECOMMENDATION

During our FY 2011 assessment of IT general and application controls and financial system functionality, we noted that DHS made some progress in remediation of IT findings we reported in FY 2010. We have closed approximately 30 percent of our prior year IT findings. The Immigration and Customs Enforcement (ICE), Federal Emergency Management Agency (FEMA), and Federal Law Enforcement Training Center (FLETC) made the most progress in closing IT findings from the prior year. In addition, we issued fewer new findings in FY 2011 compared to the number of new findings in FY 2010. In FY 2011, we identified approximately 147 findings, of which approximately 72 percent are repeated from last year. Approximately 44 percent of our repeat findings were for IT deficiencies that management represented were corrected during FY 2011.
The majority of new deficiencies were noted at Customs and Border Protection (CBP).

The most significant weaknesses from a financial statement audit perspective include: 1) excessive unauthorized access to key DHS financial applications, resources, and facilities; 2) configuration management controls that are not fully defined, followed, or effective; 3) security management deficiencies in the area of the certification and accreditation process and an ineffective program to enforce role-based security training and compliance; 4) contingency planning that lacked current, tested contingency plans developed to protect DHS resources and financial applications; and 5) lack of proper segregation of duties for roles and responsibilities within financial systems.

The conditions supporting our findings collectively limited DHS’ ability to ensure that critical financial and operational data were maintained in such a manner as to ensure confidentiality, integrity, and availability. In addition, these deficiencies negatively impacted the internal controls over DHS’ financial reporting and its operation, and we consider them to collectively represent a material weakness for DHS under standards established by the American Institute of Certified Public Accountants (AICPA) and the GAO.
The IT findings were combined into one material weakness regarding IT Controls and Financial Systems Functionality for the FY 2011 audit of the DHS consolidated financial statements.

GENERAL IT CONTROL FINDINGS AND RECOMMENDATION

In FY 2011, a number of IT and financial system functionality deficiencies were identified at DHS. Approximately 147 findings were identified, of which approximately 72 percent are repeated from last year. The primary (circle) bullets listed below each FISCAM heading are a cross-representation of the nature of IT general control deficiencies identified throughout the Department’s components. The secondary (dash) bullets represent single or multiple occurrence findings in one or more components.

Conditions: Our findings related to general IT controls and financial systems functionality follow:

Related to IT controls:

1. Access controls:
   • Deficiencies in management of application and/or database accounts, network, and remote user accounts.
     - System administrator root access to financial applications was not properly restricted, logged, and monitored.
       Emergency and temporary access was not properly authorized, and contractor development personnel were granted conflicting access to implement database changes;
     - Complex password configurations were not implemented and/or enforced;
     - User account lists were not periodically reviewed for appropriateness, improper authorizations and excessive user access privileges were allowed at some DHS components, and users were not disabled or removed promptly upon personnel termination; and
     - The process for authorizing and managing virtual private network (VPN) access to external state emergency management agencies, and component contractors, did not comply with DHS and component requirements.
   • Ineffective safeguards over logical and physical access to sensitive facilities and resources.
     - During after-hours physical security walkthroughs, we identified the following unsecured items: Personally Identifiable Information (PII); credit cards; financial system passwords; laptops; sensitive documentation; and server names and IP addresses; and
     - While performing social engineering testing, we identified instances where DHS employees provided their system user names and passwords to an auditor posing as a help desk employee.
   • Lack of generation, review, and analysis of system audit logs and adherence to DHS requirements.

2. Configuration management:
   • Lack of documented policies and procedures.
     - Financial systems change control documentation was not updated to represent the current operating environment, including sensitive user functions, roles, and privileges;
     - Limited guidance exists to assist in the development of test plans and the completion of functional testing; and
     - Configuration, vulnerability, and patch management plans have not been established and implemented, or did not comply with DHS policy.
   • Security patch management and configuration deficiencies were identified during the vulnerability assessment on the platforms supporting the key financial applications and general support systems.

3. Security management:
   • Systems certification and accreditation were not completed and maintained, or documented.
     - Several component financial and associated feeder systems, as well as general support systems, were not properly certified and accredited in compliance with DHS policy;
     - Compliance with the Federal Desktop Core Configuration (FDCC) security configurations is in progress, but has not been completed; and
     - System security plans and annual evaluations were not completed and maintained.
   • IT Security personnel lack mandatory role-based training, or compliance is not documented and monitored.
   • Background investigations of federal employees and contractors employed to operate, manage, and provide security over IT systems were not being properly conducted.

4. Contingency Planning:
   • Service continuity plans were neither tested nor updated to reflect the current environment, and an alternate processing site has not been established for high risk systems.
   • Authorized access to backup media was not periodically reviewed and updated; at one component, procedures to periodically test backups were not implemented.

5. Segregation of Duties:
   • Lack of evidence to show that least privilege and segregation of duties controls exist, including policies and procedures to define conflicting duties and access rights.

Related to Financial System Functionality:

We noted many cases where financial system functionality is inhibiting DHS’ ability to implement and maintain internal controls, notably IT application controls supporting financial data processing and reporting. Financial system functionality limitations also contribute to other control deficiencies reported in our Independent Auditors’ Report Exhibits I, II, and III, and compliance findings presented in Exhibit IV dated November 11, 2011.
We noted persistent and pervasive financial system functionality conditions at all of the significant DHS components in the following general areas:

• Lack of integration between the core financial systems and key feeder systems, such as property management systems, leading to errors and inefficiencies in the processing and reporting of financial data.
• Inability of financial systems to process, store, and report financial and performance data to facilitate decision making, safeguarding and management of assets, and prepare financial statements that comply with generally accepted accounting principles (GAAP).
• Technical configuration limitations, such as outdated systems that are no longer fully supported by the software vendors, impairing DHS’ ability to fully comply with policy in areas such as IT security controls, notably password management, audit logging, user profile changes, and the restricting of access for terminated employees and contractors.
• System capability limitations prevent or restrict the use of application controls to replace less reliable, more costly manual controls.
  Or, in some cases, they require additional manual controls to compensate for IT security or control weaknesses.
• Inability to routinely query various general ledgers to obtain a complete population of financial transactions; consequently, many manual custom queries must be created, which delay financial processing and reporting processes.
• Limitations in processing overhead cost data and depreciation expenses in support of the property, plant and equipment financial statement line item.
• Production versions of financial systems are outdated and do not provide the necessary core functional capabilities (e.g., general ledger capabilities).
• Financial systems functionality limitations are preventing one component from establishing automated processes and application controls that would improve accuracy and reliability, and facilitate efficient processing of certain financial data, such as:
  - Ensuring proper segregation of duties and access rights, such as automating the procurement process to ensure that only individuals who have proper contract authority can approve transactions, or setting system access rights within the fixed asset subsidiary ledger;
  - Maintaining sufficient data to support Fund Balance with Treasury related transactions, including suspense activity;
  - Maintaining adequate posting logic transaction codes to ensure that transactions are recorded in accordance with GAAP; and
  - Tracking detailed transactions associated with intra-governmental business and eliminating the need for default codes that cannot be easily researched.

Cause/Effect: Many financial system and IT control weaknesses have resulted from DHS’ long-standing inability to upgrade its financial system capabilities.
The Transformation and Systems Consolidation (TASC) initiative, postponed during FY 2011, is the latest DHS financial systems modernization effort to be postponed, delayed, or canceled. DHS’ broad and systemic financial system and IT control limitations will not be fully addressed until DHS and/or the components implement a stable financial system platform. Once a new strategy and plan are developed, it will likely take DHS several years to implement process and system improvements.

The conditions supporting our findings collectively limit DHS’ ability to process, store, and report financial data in a manner to ensure accuracy, confidentiality, integrity, and availability. Many of the weaknesses may result in material errors in DHS’ financial data that are not detected in a timely manner through the normal course of business. In addition, because of the presence of IT control and financial system functionality weaknesses, there is added pressure on mitigating controls to operate effectively.
Because mitigating controls are often more manually focused, there is an increased risk of human error that could materially affect the financial statements.

Recommendation: We recommend that the DHS Office of the Chief Information Officer (OCIO), in coordination with the Office of the Chief Financial Officer (OCFO), make necessary improvements to the Department’s financial management systems and supporting IT security controls.

Appendix A

Description of Key Financial Systems within the Scope of the FY 2011 DHS Financial Statement Audit

Below is a description of significant financial management systems included in the scope of the engagement to perform the financial statement audit.

United States Coast Guard (USCG)

Core Accounting System (CAS)
CAS is the core accounting system that records financial transactions and generates financial statements for the Coast Guard.
CAS is hosted at the Coast Guard’s Finance Center (FINCEN) in Virginia (VA). The FINCEN is the Coast Guard’s primary data center. CAS interfaces with two other systems located at the FINCEN, the Workflow Imaging Network System and the Financial and Procurement Desktop.

Financial Procurement Desktop (FPD)
The FPD application is used to create and post obligations to the core accounting system. It allows users to enter funding, create purchase requests, issue procurement documents, perform system administration responsibilities, and reconcile weekly program element status reports. FPD is interconnected with the CAS system and is located at the FINCEN in VA.

Workflow Imaging Network System (WINS)
WINS is the document image processing system, which is integrated with an Oracle Developer/2000 relational database. WINS allows electronic data and scanned paper documents to be imaged and processed for data verification, reconciliation, and payment. WINS utilizes MarkView software to scan documents, to view the images of scanned documents, and to render images of electronic data received. WINS is interconnected with the CAS and FPD systems and is located at the FINCEN in VA.

Joint Uniform Military Pay System (JUMPS)
JUMPS is a mainframe application used for paying USCG active and reserve payroll. JUMPS is located at the Pay and Personnel Center (PPC) in Kansas (KS).

Direct Access
Direct Access is the system of record, and all functionality, data entry, and processing of payroll events is conducted exclusively in Direct Access. Direct Access is maintained by IBM Application On Demand (IBM AOD) in the iStructure data center facility in Arizona (AZ) with a hot site located in a Qwest data center in VA.

Global Pay (Direct Access II)
Global Pay provides retiree and annuitant support services.
Global Pay is maintained by IBM AOD\nin the iStructure data center facility in AZ, with a hot site located in a Qwest data center in VA.\n\nShore Asset Management (SAM)\nSAM is hosted at the Coast Guard’s Operations Systems Center (OSC) in West Virginia (WV). SAM\nprovides core information about the USCG shore facility assets and facility engineering. The\napplication tracks activities and assists in the management of the Civil Engineering (CE) Program\nand the Facility Engineering (FE) Program. SAM data contributes to shore facility asset full\nlife cycle program management, facility engineering full life cycle program management, and the\nrationale for adjusting to USCG mission needs through planning, budgeting, and project funding.\nSAM also provides real property inventory and management of all shore facilities, in addition to the\nability to manage and track facilities engineering equipment and the maintenance of that equipment.\n\nNaval and Electronics Supply Support System (NESSS)\nNESSS is one of four automated information systems that comprise the family of Coast Guard\nlogistics systems. 
NESSS is a fully integrated system linking the functions of provisioning and\ncataloging, unit configuration, supply and inventory control, procurement, depot-level maintenance\nand property accountability, and a full financial ledger.\n\nAviation Logistics Management Information System (ALMIS)\nALMIS provides Coast Guard Aviation logistics management support in the areas of operations,\nconfiguration management, maintenance, supply, procurement, financial, and business intelligence.\nAdditionally, ALMIS covers the following types of information: Financial, Budget, Planning,\nAircraft & Crew Status, Training & Readiness, and Logistics & Supply. The Aviation Maintenance\nManagement Information System (AMMIS), a subcomponent of ALMIS, functions as the inventory\nmanagement/fiscal accounting component of the ALMIS application. The Aircraft Repair &\nSupply Center Information Systems Division in North Carolina (NC) hosts the ALMIS application.\n\nCoast Guard Treasury Information Executive Repository (CG TIER)\nCG TIER is a financial data warehouse containing summarized and consolidated financial data\nrelating to USCG operations. It is one of several supporting applications within the CAS Suite designed\nto support the core financial services provided by FINCEN. CG TIER provides monthly\nsubmissions to the DHS Consolidated TIER.\n\nCustoms and Border Protection (CBP)\n\nSAP Enterprise Central Component (SAP ECC 6.0)\nSAP is a client/server-based financial management system and includes the Funds Management,\nBudget Control System, General Ledger, Real Estate, Property, Internal Orders, Sales and\nDistribution, Special Purpose Ledger, and Accounts Payable modules. These modules are used by\nCBP to manage assets (e.g., budget, logistics, procurement, and related policy) and revenue (e.g.,\naccounting and commercial operations: trade, tariff, and law enforcement), and to provide\ninformation for strategic decision making. 
The SAP ECC 6.0 system is located in VA.\n\nAutomated Commercial System (ACS)\nACS is a collection of mainframe-based business process systems used to track, control, and\nprocess commercial goods and conveyances entering United States territory, for the purpose of\ncollecting import duties, fees, and taxes owed to the Federal government. ACS collects duties at ports,\ncollaborates with financial institutions to process duty and tax payments, provides automated duty\nfiling for trade clients, and shares information with the Federal Trade Commission on trade\nviolations and illegal imports. The ACS system is located in VA.\n\nAutomated Commercial Environment (ACE)\nACE is the commercial trade processing system being developed by CBP to facilitate trade while\nstrengthening border security. It is CBP’s plan that ACE replace ACS when ACE is fully\nimplemented. The mission of ACE is to implement a secure, integrated, government-wide system\nfor the electronic collection, use, and dissemination of international trade and transportation data\nessential to federal agencies. ACE is being deployed in phases, with no set final full deployment\ndate due to funding setbacks. The ACE system is located in VA.\n\nFederal Law Enforcement Training Center (FLETC)\n\nFinancial Accounting and Budgeting System (FABS)\nThe FLETC FABS application is an all-in-one financial processing system. 
It functions as the\ncomputerized accounting and budgeting system for FLETC. The FABS system exists to process all\nof the financial and budgeting transactions in which FLETC is involved. An application called\n“Tuxedo” also resides on a separate server. The Tuxedo middleware holds 67 executable files.\nThese files are scripts that process daily information and are not directly accessible by users. The\nFABS application and servers reside on the FLETC LAN in a hybrid physical network topology\nand are accessible from four sites: Georgia, Washington, D.C., New Mexico, and Maryland.\n\nGlynco Administrative Network (GAN)\nThe purpose of the Glynco Administrative Network (GAN) is to provide access to IT network\napplications and services, including voice, to authorized FLETC personnel, contractors, and partner\norganizations located at the Georgia facility. It provides authorized users access to email, internet\nservices, required applications such as Financial Management Systems (FMS), procurement\nsystems, property management systems, video conferencing, and other network services and shared\nresources. The GAN is located in GA.\n\nFederal Emergency Management Agency (FEMA)\n\nIFMIS-Merger\nIFMIS-Merger is the official accounting system of FEMA and maintains all financial data for\ninternal and external reporting. IFMIS-Merger is comprised of five subsystems: Funding, Cost\nPosting, Disbursements, Accounts Receivable, and General Ledger. The application is a\nCommercial Off-The-Shelf (COTS) software package developed and maintained by Digital Systems\nGroup Incorporated (DSG). 
IFMIS-Merger interfaces with the Payment and Reporting System\n(PARS), ProTrac, Smartlink (Department of Health and Human Services), Treasury Information\nExecutive Repository (TIER) (Department of the Treasury), Secure Payment System (SPS)\n(Department of the Treasury), Grants Management System (Department of Justice), National\nEmergency Management Information System (NEMIS), US Coast Guard Credit Card System,\nCredit Card Transaction Management System (CCTMS), Fire Grants, eGrants, Enterprise Data\nWarehouse (EDW), and Payroll (Department of Agriculture National Finance Center).\nIFMIS-Merger is located in VA.\n\nPayment and Reporting System (PARS)\nPARS is a standalone web-based application. Its database resides on the IFMIS-Merger\nUNIX server and is incorporated within the Certification & Accreditation (C&A) boundary for that\nsystem. Through its web interface, PARS collects Standard Form 425 information from grantees\nand stores the information in its Oracle 9i database. Automated scheduled jobs are run daily to\nupdate and interface grant and obligation information between PARS and IFMIS-Merger. All\npayments to grantees are made through IFMIS-Merger. 
PARS interfaces with IFMIS-Merger and is\nlocated in VA.\n\nNational Emergency Management Information System (NEMIS)\nNEMIS is a FEMA-wide General Support System (GSS) integrating hardware, software,\ntelecommunications infrastructure, and Web-based and client-server services and applications.\nNEMIS consists of many integrated subsystems distributed over hundreds of separate servers\naccessed by thousands of client workstations. NEMIS is an integrated system that provides FEMA,\nthe states, and other Federal agencies with the functionality and automation to perform disaster-related\noperations. The subsystems and applications incorporated within NEMIS support all phases of\nemergency management and provide financial-related data to IFMIS via automated interfaces.\nNEMIS interfaces with IFMIS, the US Coast Guard Credit Card System, and the Small Business\nAdministration. The production environment for NEMIS is geographically distributed nationwide\nbut is principally administered and managed in VA.\n\nTraverse\nTraverse is the general ledger application currently used by the National Flood Insurance Program\n(NFIP) Bureau and Statistical Agent to generate the NFIP financial statements. Traverse is a\nclient-server application that runs on the NFIP Local Area Network (LAN) Windows server environment\nin Maryland. The Traverse client is installed on the desktop computers of the NFIP Bureau of\nFinancial Statistical Control group members.\n\nTransaction Recording and Reporting Processing (TRRP)\nThe TRRP application acts as a central repository of all data submitted by the Write Your Own\n(WYO) companies and the Direct Servicing Agent (DSA) for the NFIP. TRRP also supports the\nWYO program, primarily by ensuring the quality of financial data submitted by the WYO\ncompanies and the DSA to TRRP. 
TRRP is a mainframe-based application that runs on the NFIP\nmainframe logical partition in Connecticut.\n\nImmigration and Customs Enforcement (ICE)\n\nFederal Financial Management System (FFMS)\nThe FFMS is a CFO-designated financial system and certified software application that conforms to\nOMB Circular A-127 and implements the use of a Standard General Ledger for the accounting of\nagency financial transactions. It is used to create and maintain a record of each allocation,\ncommitment, obligation, travel advance, and accounts receivable issued. It is the system of record\nfor the agency and supports all internal and external reporting requirements. FFMS is a commercial\noff-the-shelf financial reporting system. It includes the core system used by accountants, FFMS\nDesktop, which is used by general users, and a National Finance Center (NFC) payroll interface. The\nFFMS mainframe component and two network servers are hosted at the DHS DC2 facility located\nin VA. 
FFMS currently interfaces with the following systems:\n• Direct Connect, for transmission of DHS payments to Treasury\n• Fed Travel\n• The Biweekly Examination Analysis Reporting (BEAR) and Controlling Accounting Data\n  Inquiry (CADI) systems, for the purpose of processing NFC user account and payroll information\n• The Debt Collection System (DCOS)\n• Bond Management Information System (BMIS) Web\n\nICE Network\nThe ICE Network, also known as the Active Directory/Exchange (ADEX) E-mail System, is a\nmajor application for ICE and other DHS components, such as USCIS. The ADEX servers and\ninfrastructure for the headquarters and National Capital Area are located in Washington, DC.\nADEX currently interfaces with the Diplomatic Telecommunications Service Program Office\nICENet Infrastructure.\n\nOffice of Financial Management (OFM)/Consolidated Component\n\nDHS Treasury Information Executive Repository (DHSTIER)\nDHSTIER is the system of record for the DHS consolidated financial statements and is used to\ntrack, process, and perform validation and edit checks against monthly financial data uploaded from\neach of the DHS bureaus’ core financial management systems. 
DHSTIER is administered jointly\nby the OCFO Resource Management Transformation Office (RMTO) and the OCFO Office of\nFinancial Management (OFM) and is hosted on the DHS OneNet at the Stennis Data Center in\nMississippi (MS).\n\nChief Financial Officer VISION (CFO Vision)\nCFO Vision is a subsystem of DHSTIER used for the consolidation of financial data and the\npreparation of the DHS financial statements. CFO Vision is also administered by RMTO and OFM\nand is hosted on the DHS OneNet at the Stennis Data Center in MS.\n\nTransportation Security Administration (TSA)\n\nCore Accounting System (CAS)\nCAS is the core accounting system that records financial transactions and generates financial\nstatements for the United States Coast Guard. CAS is hosted at the Coast Guard’s FINCEN in VA\nand is managed by the United States Coast Guard. The FINCEN is the Coast Guard’s primary\nfinancial system data center. CAS interfaces with other systems located at the FINCEN, including\nthe Financial Procurement Desktop.\n\nFinancial Procurement Desktop (FPD)\nThe FPD application is used to create and post obligations to the core accounting system. It allows\nusers to enter funding, create purchase requests, issue procurement documents, perform system\nadministration responsibilities, and reconcile weekly program element status reports. 
FPD is\ninterconnected with the CAS system, is hosted at the FINCEN in VA, and is managed by the\nUnited States Coast Guard.\n\nSunflower\nSunflower is a customized third-party COTS product used for TSA and Federal Air Marshals\nproperty management. Sunflower interacts directly with the Office of Finance Fixed Assets module\nin CAS. Additionally, Sunflower is interconnected to the FPD system, is hosted at the FINCEN\nin VA, and is managed by the United States Coast Guard.\n\nMarkView\nMarkView is imaging and workflow software used to manage invoices in CAS. Each invoice is\nstored electronically and associated with a business transaction so that users are able to see the image\nof the invoice. MarkView is interconnected with the CAS system, is located at the FINCEN in\nVA, and is managed by the United States Coast Guard.\n\nUnited States Citizenship and Immigration Services (USCIS)\n\nCLAIMS 3 Local Area Network (LAN)\nCLAIMS 3 LAN provides USCIS with a decentralized, geographically dispersed LAN-based\nmission support case management system, with participation in the centralized CLAIMS 3\nMainframe data repository. CLAIMS 3 LAN supports the requirements of the Direct Mail Phase I\nand II, Immigration Act of 1990 (IMMACT 90), and USCIS forms improvement projects. 
The\nCLAIMS 3 LAN is located at the following service centers and district offices: Nebraska,\nCalifornia, Texas, Vermont, Baltimore District Office, and Administrative Appeals Office.\nCLAIMS 3 LAN interfaces with the following systems:\n• Citizenship and Immigration Services Centralized Oracle Repository (CISCOR)\n• CLAIMS 3 Mainframe\n• Integrated Card Production System (ICPS)\n• CLAIMS 4\n• E-filing\n• Benefits Biometric Support System (BBSS)\n• Refugee, Asylum, and Parole System (RAPS)\n• National File Tracking System (NFTS)\n• Customer Relationship Interface System (CRIS)\n• USCIS Enterprise Service Bus (ESB)\n\nCLAIMS 4\nThe purpose of CLAIMS 4 is to track and manage naturalization applications. CLAIMS 4 is a\nclient/server application. The central Oracle database is located in Washington, DC, while\napplication servers and client components are located throughout USCIS service centers and district\noffices. 
CLAIMS 4 interfaces with the following systems:\n• Central Index System (CIS)\n• Reengineered Naturalization Automated Casework System (RNACS)\n• CLAIMS 3 LAN and Mainframe\n• Refugee, Asylum, and Parole System (RAPS)\n• Enterprise Performance Analysis System (ePAS)\n• National File Tracking System (NFTS)\n• Asylum Pre-Screening System (APSS)\n• USCIS Enterprise Service Bus (ESB)\n• Biometrics Benefits Support System (BBSS)\n• Enterprise Citizenship and Immigration Service Centralized Operational Repository (eCISOR)\n• Customer Relationship Interface System (CRIS)\n• FD 258 Enterprise Edition and Mainframe\n• Site Profile System (SPS)\n\nAppendix B\nDepartment of Homeland Security\nInformation Technology Management Letter\nSeptember 30, 2011\n\nFY 2011 Notices of IT Findings and Recommendations at DHS\n\nNotice of Findings and Recommendations (NFR) – Definition 
of Severity Ratings:\n\nEach NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating its influence on\nthe Department of Homeland Security (DHS) Consolidated Independent Auditors’ Report.\n\n1 – Not substantial\n2 – Less significant\n3 – More significant\n\nThe severity ratings indicate the degree to which the deficiency influenced the determination of\nseverity for consolidated reporting purposes. These ratings are provided only to assist DHS in\nprioritizing the development of its corrective action plans for remediation of the deficiencies.\n\nDepartment of Homeland Security\nFY 2011 Information Technology - Notice of Findings\n• United States Coast Guard\n\nFY 2011 NFR # | NFR Title | FISCAM Control Area | Severity Rating | New / Repeat Issue\nCG-IT-11-01 | Security Awareness Issues Associated with Physical Protection of Sensitive Information | Access Controls | 2 | Repeat\nCG-IT-11-02 | Direct Access and Direct Access II User and System Administrator Account Management and Approval | Access Controls | 1 | New\nCG-IT-11-03 | Coast Guard Treasury Information Executive Repository (CG TIER) resource owners’ identification of authorized users | Access Controls | 1 | Repeat\nCG-IT-11-04 | Weaknesses Related to Information Assurance (IA) Professionals’ Required Certifications | Security Management | 1 | Repeat\nCG-IT-11-05 | Configuration Management Controls over the Scripting Process | Configuration Management | 3 | Repeat\nCG-IT-11-06 | Civilian Background Investigations | Security Management | 2 | Repeat\nCG-IT-11-07 | Contractor Background Investigations | Security Management | 2 | Repeat\nCG-IT-11-08 | Security Awareness Issues Associated with the Social Engineering Testing | Access Controls | 2 | Repeat\nCG-IT-11-09 | Operations Systems Center (OSC) Data Center Visitor Access Logs | Access Controls | 1 | New\nCG-IT-11-10 | Direct Access and Direct Access II Audit Logging and General IT Control Validation | Access Controls | 2 | Repeat\nCG-IT-11-11 | Aviation Maintenance Management Information System (AMMIS) Software Change Requests Process | Configuration Management | 1 | Repeat\nCG-IT-11-12 | Shore Asset Management (SAM) and Naval and Electronics Supply Support System (NESSS) Audit Log Review | Segregation of Duties | 1 | Repeat\nCG-IT-11-13 | Direct Access System User Account Recertification | Access Controls | 2 | Repeat\nCG-IT-11-14 | NESSS Access Authorizations | Access Controls | 2 | Repeat\nCG-IT-11-15 | Lack of Consistent Contractor, Civilian, and Military Account Termination Notification Process for Coast Guard Systems | Security Management | 2 | Repeat\nCG-IT-11-16 | Naval & Electronics Supply Support System Users Who Have Admin Capabilities | Access Controls | 2 | Repeat\nCG-IT-11-17 | Aviation Logistics Management Information System (ALMIS) User Recertification | Access Controls | 2 | Repeat\nCG-IT-11-18 | Non-Compliance with Federal Financial Management Improvement Act (FFMIA) – Information Technology | Security Management | 3 | Repeat\nCG-IT-11-19 | Weaknesses Associated with the Coast Guard Security Incident Database and Ticket System | Security Management | 1 | New\nCG-IT-11-20 | Access and Configuration Management Controls – Vulnerability Assessment | Configuration Management | 2 | New\nCG-IT-11-21 | Naval and Electronics Supply Support System User Account Recertification | Access Controls | 2 | New\n\nDepartment of Homeland Security\nFY 2011 Information Technology - Notice of Findings\n• Customs and Border Protection (CBP)\n\nFY 2011 NFR # | NFR Title | FISCAM Control Area | Severity Rating | New / Repeat Issue\nCBP-IT-11-01 | Security Awareness Issues Identified During Enhanced Security Testing | Access Controls | 2 | Repeat\nCBP-IT-11-02 | Physical Security Issues Identified during Enhanced Security Testing | Access Controls | 2 | Repeat\nCBP-IT-11-03 | Inadequate Role-based Security Training Program | Entity Level Controls | 2 | Repeat\nCBP-IT-11-04 | Segregation of Duties Control Weaknesses within the CBP System | Access Controls | 2 | Repeat\nCBP-IT-11-05 | CBP System User Profile Change Logs are not Reviewed | Access Controls | 2 | Repeat\nCBP-IT-11-07 | Lack of Monitoring of Developer Emergency/Temporary Access to a CBP System Production | Access Controls | 2 | Repeat\nCBP-IT-11-08 | CBP System Novell Server Audit Logs Review Weaknesses | Access Controls | 2 | New\nCBP-IT-11-09 | CBP System Contingency Plan has not been Updated | Computer Operations | 1 | New\nCBP-IT-11-10 | Lack of Update to CBP System Security Plan | Entity Level Controls | 2 | New\nCBP-IT-11-11 | Incomplete Background Investigations and Reinvestigations for CBP Employees and Contractors | Entity Level Controls | 2 | Repeat\nCBP-IT-11-12 | Contractor Separation Procedures are not Updated and Contractor Separation Forms are not Maintained | Entity Level Controls | 2 | Repeat\nCBP-IT-11-13 | Inadequate Documentation of CBP System Access Change Requests | Access Controls | 2 | Repeat\nCBP-IT-11-14 | CBP Systems User Profile Change Logs are not Reviewed | Access Controls | 2 | New\nCBP-IT-11-15 | Incomplete Access Request Forms and Approvals for New CBP System Accounts | Access Controls | 2 | Repeat\nCBP-IT-11-16 | Lack of Annual Recertification of CBP System Users | Access Controls | 2 | New\nCBP-IT-11-17 | Incomplete Access Request Approval Forms for new Remote Access User Accounts | Access Controls | 2 | New\nCBP-IT-11-18 | Incomplete Documentation of Interconnection Security Agreements (ISA) for ACS Participating Government Agencies (PGA) Connections | Access Controls | 2 | Repeat\nCBP-IT-11-19 | Contractor Non-Disclosure Agreements are Incomplete | Entity Level Controls | 2 | Repeat\nCBP-IT-11-20 | Weaknesses over the Employee Separation Process | Entity Level Controls | 2 | Repeat\nCBP-IT-11-21 | CBP System Audit Logs Not Appropriately Reviewed | Access Controls | 2 | New\nCBP-IT-11-22 | Lack of Access Requests and Approvals for CBP System Accounts | Access Controls | 2 | Repeat\nCBP-IT-11-23 | Lack of Update to CBP System Security Test & Evaluation (ST&E) | Entity Level Controls | 2 | New\nCBP-IT-11-24 | CBP System Configuration Management Policies and Procedures Not Formally Documented | Program Changes | 2 | New\nCBP-IT-11-25 | Weaknesses in Allowed Network Authenticators | Access Controls | 2 | New\nCBP-IT-11-26 | CBP System Audit Logs Not Appropriately Reviewed | Access Controls | 2 | Repeat\nCBP-IT-11-27 | Security Weaknesses Identified during the Technical Vulnerability Assessment | Access Controls | 2 | Repeat\nCBP-IT-11-28 | Installation of Virus Protections on CBP Workstations | Access Controls | 2 | Repeat\nCBP-IT-11-30 | Separated Personnel on CBP System User Listing | Access Controls | 2 | New\nCBP-IT-11-31 | Lack of Functionality in a CBP System | Security Management | 2 | Repeat\nCBP-IT-11-32 | Separated Personnel on CBP System User Listing | Access Controls | 2 | New\nCBP-IT-11-33 | Lack of Update to CBP System ST&E | Entity Level Controls | 2 | New\nCBP-IT-11-34 | Lack of Update to CBP System ST&E | Entity Level Controls | 2 | New\nCBP-IT-11-35 | Access to Media Recertification is Incomplete | Access Controls | 1 | Repeat\nCBP-IT-11-36 | Lack of Annual Recertification of CBP System Users | Access Controls | 2 | New\nCBP-IT-11-37 | CBP System Privileged User Access Weaknesses | Access Controls
2         X\n                CBP System Segregation of Duties over the Production\nCBP-IT-11-38                                                                  Configuration Management     2         X\n                Environment\n               Note: NFR numbers CBP-IT-11-06 and CBP-IT-11-29 were not used during FY2011\n\n\n                Information Technology Management Letter for the FY 2011 Department of Homeland Security\xe2\x80\x99s Financial Statement Audit\n                                                                      Page 22\n\x0c                                                                                 Appendix B\n                            Department of Homeland Security\n                        Information Technology Management Letter\n                                   September 30, 2011\n\n\n\n\n                 Department of Homeland Security\n\n         FY2011 Information Technology - Notice of Findings\n\n\n               \xef\xbf\xbd Federal Emergency Management Agency\n\n\n\n\nInformation Technology Management Letter for the FY 2011 Department of Homeland Security\xe2\x80\x99s \n\n                               Financial Statement Audit\n\n                                        Page 23\n\n\x0c                                                                                                                                  Appendix B\n                                                                   Department of Homeland Security\n                                                               Information Technology Management Letter\n                                                                          September 30, 2011\n\nFY 2011 NFR #                              NFR Title                             FISCAM Control Area       Severity Rating   New Issue   Repeat Issue\nFEMA-IT-11-01   Alternate Processing Site for the National Emergency              Contingency Planning            3                          X\n            
    Management Information System (NEMIS) Has Not Been\n                Established\nFEMA-IT-11-02   Weaknesses Exist in the Certification & Accreditation (C&A)       Security Management            3                             X\n                Package for the FEMA Switched Network (FSN)-2, which\n                Includes the FEMA Local Area Network (LAN)\nFEMA-IT-11-03   Weaknesses Exist over the Authorization to Operate (ATO) and      Security Management            3                             X\n                C&A Documentation for NEMIS\nFEMA-IT-11-04   NEMIS Contingency Plan Does Not Comprehensively Address           Contingency Planning           3                             X\n                the Requirements of DHS Policy and Has Not Been Adequately\n                Tested\nFEMA-IT-11-05   Formalized Training Requirements for Individuals with             Security Management            2                             X\n                Significant Information Security Responsibilities Have Not\n                Been Fully Implemented and Role-Based Training is Not\n                Tracked or Monitored\nFEMA-IT-11-06   Documentation Supporting Integrated Financial Management        Configuration Management         2                             X\n                Information System (IFMIS)-Merger User Functions Does Not\n                Exist\nFEMA-IT-11-07   Oracle Databases Supporting Financial Applications within the       Access Controls              2                             X\n                Previous NEMIS Accreditation Boundary are Not Configured to\n                Enforce Password Requirements\nFEMA-IT-11-08   Oracle Databases Supporting Financial Applications within the       Access Controls              3                             X\n                Previous NEMIS Accreditation Boundary Do Not Adequately\n                Enforce Account Lockout Requirements\nFEMA-IT-11-09   Operating System Audit Logging on Servers Supporting                
Access Controls              3                             X\n                Financial Applications within the Previous NEMIS\n                Accreditation Boundary is Not Adequate\nFEMA-IT-11-10   Weaknesses Existed over Contingency Planning, Testing and         Contingency Planning           1                             X\n                Development of the Continuity of Operations Plan for the\n                Transaction Record Reporting and Processing Application\n                (TRRP) and Traverse\nFEMA-IT-11-11   Recertification of NEMIS Access Control System Position             Access Controls              1                             X\n                  Information Technology Management Letter for the FY 2011 Department of Homeland Security\xe2\x80\x99s Financial Statement Audit\n                                                                        Page 24\n\x0c                                                                                                                             Appendix B\n                                                                   Department of Homeland Security\n                                                               Information Technology Management Letter\n                                                                          September 30, 2011\n\n                Assignments is Incomplete\nFEMA-IT-11-12   Audit Logging on Databases Supporting Financial Applications        Access Controls        3                              X\n                within the Previous NEMIS Accreditation Boundary is Not\n                Adequate\nFEMA-IT-11-13   Weaknesses Exist over Vulnerability Management for Servers      Configuration Management   2                              X\n                Supporting Financial Applications within the Previous NEMIS\n                Accreditation Boundary\nFEMA-IT-11-14   National Flood Insurance Program (NFIP) Physical Access             Access Controls        2             X\n     
           Policies and Procedures were Not Appropriately Documented\n                and Implemented\nFEMA-IT-11-15   NFIP LAN and Traverse Account Security Configuration Is Not         Access Controls        1             X\n                in Compliance with DHS Policy\nFEMA-IT-11-16   TRRP Logical Access was Not Appropriately Authorized                Access Controls        2             X\nFEMA-IT-11-17   Weaknesses Exist over Configuration and Operating                   Access Controls        2             X\n                Effectiveness of Traverse Audit Logs\nFEMA-IT-11-18   Monitoring of Configuration Changes Deployed to the IFMIS-      Configuration Management   3                              X\n                Merger Production Environment are Inadequate\nFEMA-IT-11-19   Weaknesses Exist over Configuration Management Processes        Configuration Management   3                              X\n                for Financial Applications within the Previous NEMIS\n                Accreditation Boundary\nFEMA-IT-11-20   Weaknesses Exist over IFMIS-Merger Configuration                Configuration Management   3                              X\n                Management Processes\nFEMA-IT-11-21   Weaknesses Exist over Recertification of Access to the IFMIS-       Access Controls        3                              X\n                Merger Application\nFEMA-IT-11-22   Weaknesses Exist over TRRP Mainframe Audit Logs                     Access Controls        2                              X\nFEMA-IT-11-23   Emergency and Temporary Access to IFMIS-Merger is Not               Access Controls        2                              X\n                Properly Authorized\nFEMA-IT-11-24   Weaknesses Exist over IFMIS-Merger Application and Database         Access Controls        3                              X\n                Audit Logging\nFEMA-IT-11-25   IFMIS-Merger User Access was Not Managed in Accordance              Access Controls        1               
               X\n                with Account Management Procedures\nFEMA-IT-11-26   Payment and Reporting System (PARS) Database Security               Access Controls        2                              X\n                  Information Technology Management Letter for the FY 2011 Department of Homeland Security\xe2\x80\x99s Financial Statement Audit\n                                                                        Page 25\n\x0c                                                                                                                             Appendix B\n                                                                  Department of Homeland Security\n                                                              Information Technology Management Letter\n                                                                         September 30, 2011\n\n                Controls Are Not Appropriately Established\nFEMA-IT-11-27   NFIP LAN Audit Logging is Not Performed in Accordance with        Access Controls        1                                X\n                DHS and FEMA Requirements\nFEMA-IT-11-28   Individual User Virtual Private Network (VPN) Access              Access Controls        3                                X\n                Accounts are Not Appropriately Authorized or Recertified\nFEMA-IT-11-29   External Connections to the FEMA VPN Are Not Appropriately        Access Controls        3                                X\n                Authorized or Documented\nFEMA-IT-11-30   IFMIS-Merger System Software Administrator Activity Is Not        Access Controls        3                                X\n                Appropriately Restricted or Monitored\nFEMA-IT-11-31   Weaknesses Exist over C&A Documentation for IFMIS-Merger        Security Management      3                                X\nFEMA-IT-11-32   Risk Assessment Activities over NFIP IT Systems were Not        Security Management      2                                X\n  
              Adequately Performed\nFEMA-IT-11-33   Weaknesses Exist over Management and Technical Controls           Access Controls        1                                X\n                Associated with FEMA LAN Accounts\nFEMA-IT-11-34   Employee Termination Process for Removing System Access           Access Controls        3                                X\n                Should Be More Proactive\nFEMA-IT-11-35   Traverse Configuration Management Plan Weaknesses             Configuration Management   2                                X\nFEMA-IT-11-36   TRRP Configuration Management Plan Weaknesses                 Configuration Management   2                                X\nFEMA-IT-11-37   Documentation Supporting TRRP Test Libraries Does Not         Configuration Management   1               X\n                Reflect Current Environment\nFEMA-IT-11-38   Federal Insurance and Mitigation Administration (FIMA)        Configuration Management   2               X\n                Configuration Management Program has Not Been Developed\nFEMA-IT-11-39   Weaknesses Exist over Background Investigations for Federal     Security Management      2                                X\n                Employees and Contractors\nFEMA-IT-11-40   Weaknesses in the Management of Plans of Action &               Security Management      3                                X\n                Milestones (POA&Ms) for Audit Findings over FEMA\n                Financial Systems\nFEMA-IT-11-41   Physical Security and Security Awareness Issues Associated        Access Controls        2                                X\n                with Enhanced Security Testing at FEMA\nFEMA-IT-11-42   Traverse Accounts Were Not Appropriately Recertified              Access Controls        2               X\nFEMA-IT-11-43   Lack of Adequate Configuration Management over Network        Configuration Management   2                                X\n\n                  Information Technology 
Management Letter for the FY 2011 Department of Homeland Security\xe2\x80\x99s Financial Statement Audit\n                                                                        Page 26\n\x0c                                                                                                                             Appendix B\n                                                                  Department of Homeland Security\n                                                              Information Technology Management Letter\n                                                                         September 30, 2011\n\n                Devices Supporting Financial Systems\nFEMA-IT-11-44   Password, Patch, and Configuration Management Weaknesses        Configuration Management   3             X\n                Were Identified during the Vulnerability Assessment on IFMIS,\n                NEMIS, and Key Support Servers\nFEMA-IT-11-45   Vulnerability Assessment Program for the NFIP LAN               Configuration Management   1                              X\n                Supporting Traverse was Inadequate\nFEMA-IT-11-46   Weaknesses Existed over the Configuration Patch Management      Configuration Management   1                              X\n                Process for the NFIP LAN Supporting Traverse\nFEMA-IT-11-47   Weaknesses Exist over the Configuration and Testing of            Contingency Planning     3                              X\n                Backups for Servers Supporting Financial Applications Within\n                the Previous NEMIS Accreditation Boundary\nFEMA-IT-11-48   Key Controls over Production Servers Supporting Applications    Configuration Management   3                              X\n                Within the Former NEMIS Accreditation Boundary Have Not\n                Been Implemented\n\n\n\n\n                  Information Technology Management Letter for the FY 2011 Department of Homeland Security\xe2\x80\x99s Financial 
Statement Audit\n                                                                        Page 27\n\x0c                                                                                 Appendix B\n                            Department of Homeland Security\n                        Information Technology Management Letter\n                                   September 30, 2011\n\n\n\n\n                 Department of Homeland Security\n\n         FY2011 Information Technology - Notice of Findings\n\n\n              \xef\xbf\xbd Federal Law Enforcement Training Center\n\n\n\n\nInformation Technology Management Letter for the FY 2011 Department of Homeland Security\xe2\x80\x99s \n\n                               Financial Statement Audit\n\n                                        Page 28\n\n\x0c                                                                                                                                    Appendix B\n                                                                    Department of Homeland Security\n                                                                Information Technology Management Letter\n                                                                           September 30, 2011\n\n\n\n\nFY 2011 NFR #                               NFR Title                           FISCAM Control Area        Severity Rating   New Issue    Repeat Issue\nFLETC-IT-11-01   Ineffective Logical Access Controls over Student Information      Access Controls                2                           X\n                 System\nFLETC-IT-11-02   Ineffective Segregation of Duties Controls for the Momentum     Segregation of Duties           2              X\n                 System\n\n\n\n\n                   Information Technology Management Letter for the FY 2011 Department of Homeland Security\xe2\x80\x99s Financial Statement Audit\n                                                                         Page 29\n\x0c                           
                                                       Appendix B\n                            Department of Homeland Security\n                        Information Technology Management Letter\n                                   September 30, 2011\n\n\n\n\n                 Department of Homeland Security\n\n         FY2011 Information Technology - Notice of Findings \n\n\n                \xef\xbf\xbd Immigration and Customs Enforcement\n\n\n\n\nInformation Technology Management Letter for the FY 2011 Department of Homeland Security\xe2\x80\x99s \n\n                               Financial Statement Audit\n\n                                        Page 30\n\n\x0c                                                                                                                                  Appendix B\n                                                                  Department of Homeland Security\n                                                              Information Technology Management Letter\n                                                                         September 30, 2011\n\n\n\n 2011 NFR #                           NFR Title                                 FISCAM Control Area      Severity Rating   New Issue    Repeat Issue\nICE-IT-11-01   ADEX Resource Servers and Workstations have Inadequate              Access Controls              3             X\n               Patch Management\nICE-IT-11-02   Terminated/Transferred Personnel are not Removed from               Access Controls             2                               X\n               ADEX in a Timely Manner\nICE-IT-11-03   Access Recertification Review is not Completed for FFMS.            
Access Controls             2              X\nICE-IT-11-04   Weak FFMS Segregation of Duties                                     Access Controls             2                               X\nICE-IT-11-05   Security Awareness Issues were Identified during Social           Security Management           3                               X\n               Engineering\nICE-IT-11-06   FFMS Network and Servers were Installed with Default                Access Controls             3                               X\n               Configuration Settings and Protocols\nICE-IT-11-07   FFMS Mainframe Production Databases were Installed and              Access Controls             3                               X\n               Configured without Baseline Security Configurations\nICE-IT-11-08   FFMS Servers have Inadequate Patch Management                       Access Controls             3                               X\nICE-IT-11-09   Default Installation and Configuration of Cisco Routers on ICE      Access Controls             3                               X\n               Network\nICE-IT-11-10   Security Awareness Issues Identified During After-Hours           Security Management           3                               X\n               Walkthrough\nICE-IT-11-11   Lack of Procedures for Transferred/Terminated Personnel Exit      Security Management           2                               X\n               Processing\n\n\n\n\n                 Information Technology Management Letter for the FY 2011 Department of Homeland Security\xe2\x80\x99s Financial Statement Audit\n                                                                       Page 31\n\x0c                                                                                  Appendix B\n                            Department of Homeland Security\n                        Information Technology Management Letter\n                                   September 30, 2011\n\n\n\n\n                 Department of 
Homeland Security\n\n         FY2011 Information Technology - Notice of Findings\n\n\n                     \xef\xbf\xbd Office of Financial Management\n                    \xef\xbf\xbd Office of Chief Information Officer\n\n\n\n\nInformation Technology Management Letter for the FY 2011 Department of Homeland Security\xe2\x80\x99s \n\n                               Financial Statement Audit\n\n                                        Page 32\n\n\x0c                                                                                                                                  Appendix B\n                                                                  Department of Homeland Security\n                                                              Information Technology Management Letter\n                                                                         September 30, 2011\n\n\n\n\n 2011 NFR #                             NFR Title                             FISCAM Control Area        Severity Rating   New Issue    Repeat Issue\nCONS-IT-11-01   Network Logical Access Parameters are not Configured in          Access Controls                1                           X\n                Accordance with DHS Policy\nCONS-IT-11-02   Security Awareness Issues Identified During After-Hours        Security Management             2              X\n                Walkthrough\nOCIO-IT-11-01   DHS has not Fully Implemented the Federal Desktop Core         Security Management             1                               X\n                Configuration (FDCC) Security Configurations Requirements\nOCIO-IT-11-02   DHS Physical Controls could be Strengthened                      Access Controls               2              X\n\n\n\n\n                  Information Technology Management Letter for the FY 2011 Department of Homeland Security\xe2\x80\x99s Financial Statement Audit\n                                                                        Page 33\n\x0c                  
                                                               Appendix B\n                            Department of Homeland Security\n                        Information Technology Management Letter\n                                   September 30, 2011\n\n\n\n\n                 Department of Homeland Security\n\n         FY2011 Information Technology - Notice of Findings \n\n\n                \xef\xbf\xbd Transportation Security Administration\n\n\n\n\nInformation Technology Management Letter for the FY 2011 Department of Homeland Security\xe2\x80\x99s \n\n                               Financial Statement Audit\n\n                                        Page 34\n\n\x0c                                                                                                                                  Appendix B\n                                                                  Department of Homeland Security\n                                                              Information Technology Management Letter\n                                                                         September 30, 2011\n\n\n\n\n 2011 NFR #                            NFR Title                              FISCAM Control Area        Severity Rating   New Issue    Repeat Issue\nTSA-IT-11-01   Markview \xe2\x80\x93 Password Settings                                      Access Controls                2             X\nTSA-IT-11-02   Markview \xe2\x80\x93 Administrator Account                                  Access Controls               2              X\nTSA-IT-11-03   Physical Security and Security Awareness Issues Identified        Access Controls               1                               X\n               during Enhanced Security Testing\nTSA-IT-11-04   TSA Computer Access Agreement Process                             Access Controls               1                               X\nTSA-IT-11-05   Sunflower and Markview User Account Recertifications              Access Controls      
         2                               X\nTSA-IT-11-06   Configuration Management Controls Over the Coast Guard        Configuration Management          2                               X\n               Scripting Process\n\n\n\n\n                 Information Technology Management Letter for the FY 2011 Department of Homeland Security\xe2\x80\x99s Financial Statement Audit\n                                                                       Page 35\n\x0c                                                                                 Appendix B\n                            Department of Homeland Security\n                        Information Technology Management Letter\n                                   September 30, 2011\n\n\n\n\n                      Department of Homeland Security\n\n                       FY2011 Information Technology\n\n                             Notice of Findings\n\n\n\n           \xef\xbf\xbd   United States Citizenship and Immigration Services\n\n\n\n\nInformation Technology Management Letter for the FY 2011 Department of Homeland Security\xe2\x80\x99s \n\n                               Financial Statement Audit\n\n                                        Page 36\n\n\x0c                                                                                                                                   Appendix B\n                                                                   Department of Homeland Security\n                                                               Information Technology Management Letter\n                                                                          September 30, 2011\n\n\n\n2011 NFR #                             NFR Title                               FISCAM Control Area        Severity Rating   New Issue    Repeat Issue\nCIS-IT-11-01   Equipment and Media Policies and Procedures are not Current        Access Controls                2                           X\nCIS-IT-11-02   Weak Password 
Configuration Controls for CLAIMS 4                  Access Controls               2                               X\nCIS-IT-11-03   Policies and Procedures for CLAIMS 3 LAN and CLAIMS 4              Access Controls               2                               X\n               Audit Logs\nCIS-IT-11-04   Policies and Procedures for Separated CLAIMS 3 LAN                 Access Controls               2                               X\n               Accounts\nCIS-IT-11-05   Periodic User Access Reviews are not Performed for CLAIMS          Access Controls                                               X\n               3 LAN Users\nCIS-IT-11-06   Procedures for Transferred/Terminated Personnel Exit             Security Management             3                               X\n               Processing are not Finalized\nCIS-IT-11-07   Incomplete or Inadequate Access Request Forms for CLAIMS 3         Access Controls               2                               X\n               LAN and CLAIMS 4 System Users\nCIS-IT-11-08   ICE Resource Server and Inadequate Patch Management                Access Controls               3                               X\n               weaknesses impact USCIS Operations\nCIS-IT-11-09   Weak Password configuration controls for CLAIMS 3 LAN              Access Controls               2              X\nCIS-IT-11-10   Weak Logical Access Controls exist over CLAIMS 4                   Access Controls               2                               X\nCIS-IT-11-11   Ineffective Safeguards over Physical Access to Sensitive           Access Controls               2              X\n               Facilities and Resources\nCIS-IT-11-12   VPN Access Request Forms are not Properly Maintained               Access Controls               2              X\nCIS-IT-11-13   Lack of Segregation of Duties for CLAIMS 3 LAN                   Security Management             2                               X\nCIS-IT-11-14   ADEX Access Request Forms are not 
Properly Maintained              Access Controls               1                               X\nCIS-IT-11-15   Lack of Computer Security Awareness Training Compliance          Security Management             2                               X\nCIS-IT-11-16   Lack of Role-Based Training for Key Security Personnel           Security Management             2              X\nCIS-IT-11-17   FFMS Vulnerability Weaknesses Affect USCIS Operations              Access Controls               3                               X\n\n\n\n\n                 Information Technology Management Letter for the FY 2011 Department of Homeland Security\xe2\x80\x99s Financial Statement Audit\n                                                                       Page 37\n\x0c                                                                               Appendix C\n                            Department of Homeland Security\n                        Information Technology Management Letter\n                                   September 30, 2011\n\n\n\n\n                                    APPENDIX C\nStatus of Prior Year Notices of Findings and Recommendations and\n\n                          Comparison to\n\n Current Year Notices of Findings and Recommendations at DHS\n\n\n\n\n\nInformation Technology Management Letter for the FY 2011 Department of Homeland Security\xe2\x80\x99s \n\n                               Financial Statement Audit\n\n                                        Page 38\n\n\x0c                                                                                              Appendix C\n                                Department of Homeland Security\n                            Information Technology Management Letter\n                                       September 30, 2011\n\n                  Current Year Notices of Findings and Recommendations\n\n                                                                                         Disposition\n   NFR #                     
                Closed/Repeat   Description

CBP-IT-10-01    Closed          Separated Personnel on Automated Commercial Environment (ACE) User Listings
CBP-IT-10-02    Repeat          Segregation of Duties Control Weaknesses within ACE
CBP-IT-10-03    Repeat          ACE Audit Log Review Weaknesses
CBP-IT-10-05    Closed          Recertification Review of ACE User Accounts
CBP-IT-10-06    Repeat          Security Awareness Issues Identified During Enhanced Security Testing
CBP-IT-10-07    Repeat          ACE User Access Form Documentation is Incomplete
CBP-IT-10-08    Repeat          Physical Security Issues Identified during Enhanced Security Testing
CBP-IT-10-09    Repeat          Contractor Separation procedures are not Updated and Contractor Separation forms are not Maintained
CBP-IT-10-10    Repeat          Employee Separations Weaknesses
CBP-IT-10-11    Repeat          Contractor Non-Disclosure Agreement Weaknesses
CBP-IT-10-12    Repeat          Installation of Virus Protections on CBP Workstations
CBP-IT-10-13    Closed          Inadequate Role-based Security Training Program
CBP-IT-10-14    Repeat          Raised Floor Access Authorization Process Weakness
CBP-IT-10-15    Repeat          Automated Commercial System (ACS) User Access Profile Change Log Review Procedures Have Not Been Implemented
CBP-IT-10-16    Repeat          Security Weaknesses Identified during Technical Vulnerability Assessment
CBP-IT-10-17    Repeat          ACS Interconnection Security Agreements are Incomplete
CBP-IT-10-18    Repeat          ACS User Access Authorization Evidence Weakness
CBP-IT-10-19    Repeat          Lack of Recertification Authorization Evidence for Personnel with Access to Backup Media
CBP-IT-10-20    Closed          ACS User Access Profile Change Log Review Procedures Have Not Been Implemented
CBP-IT-10-21    Repeat          Unauthorized Access Attempt Setting for the Mainframe Have Not Been Configured
CBP-IT-10-22    Repeat          Background Investigations and Reinvestigations for CBP Employees and Contractors are not Completed
CBP-IT-10-23    Repeat          Lack of Monitoring of Developer Emergency/Temporary Access to ACS Production
CBP-IT-10-24    Repeat          Lack of Access Requests and Approval for National Data Center (NDC) Local Area Network (LAN) Accounts

CG-IT-10-01     Repeat          Lack of Consistent Contractor, Civilian, and Military Account Termination Process for Coast Guard Systems
CG-IT-10-02     Repeat          Contractor Background Investigations
CG-IT-10-03     Repeat          Civilian Background Investigations
CG-IT-10-04     Closed          Lack of Implemented Guidance Related to Financial Statement Impact Assessment within the Change Control Process
CG-IT-10-05     Repeat          Configuration Management Controls Over the Scripting Process
CG-IT-10-06     Repeat          Security Awareness Issues Associated with the Social Engineering Testing

Information Technology Management Letter for the FY 2011 Department of Homeland Security's
Financial Statement Audit
Page 39

Appendix C
Department of Homeland Security
Information Technology Management Letter
September 30, 2011

CG-IT-10-07     Closed          JUMPS Authorized Users Tracking Weakness
CG-IT-10-08     Closed          Coast Guard – Treasury Information Executive Reporting (TIER) System – Password Settings
CG-IT-10-09     Repeat          Security Awareness Issues Associated with Physical Protection of Sensitive Information
CG-IT-10-10     Repeat          Weaknesses with Specialized Role-based Training for Individuals with Significant Security Responsibilities
CG-IT-10-11     Repeat          Coast Guard Treasury Information Executive Repository (CG TIER) Resource Owners' Identification of Authorized Users
CG-IT-10-12     Repeat          User Account Recertification - Direct Access Application
CG-IT-10-13     Closed          Access and Configuration Management Controls – Vulnerability Assessment
CG-IT-10-14     Repeat          Naval and Electronic Supply Support System (NESSS) Access Authorizations
CG-IT-10-15     Closed          Aviation Logistics Center (ALC) Data Center and Facility Controls
CG-IT-10-16     Closed          Aviation Maintenance Management Information System (AMMIS) Password Configuration
CG-IT-10-17     Repeat          Security Awareness Issues associated with Social Engineering Testing – Follow-up Testing
CG-IT-10-18     Closed          AMMIS Audit Log Review
CG-IT-10-19     Repeat          Aviation Logistics Management Information System (ALMIS) User Recertification
CG-IT-10-20     Repeat          AMMIS Software Change Requests Process
CG-IT-10-21     Repeat          NESSS User Access Recertification
CG-IT-10-22     Repeat          Shore Asset Management (SAM) and NESSS Audit Log Review
CG-IT-10-23     Closed          Operations Systems Center (OSC) Data Center Access Reviews
CG-IT-10-24     Repeat          Non-Compliance with Federal Financial Management Improvement Act (FFMIA) – Information Technology
CG-IT-10-25     Closed          FINCEN Configuration Management Testing Approval Process
CG-IT-10-26     Closed          ALC Information Technology Policies and Procedures
CG-IT-10-27     Closed          NESSS Password Configuration
CG-IT-10-28     Repeat          Direct Access Audit Logging

CIS-IT-10-01    Repeat          Inefficient Definition and Documentation of Access roles at the National Benefits Center for CLAIMS 3 LAN
CIS-IT-10-02    Repeat          Periodic User Access Reviews are not Performed for CLAIMS 3 LAN users
CIS-IT-10-03    Repeat          Incomplete or Inadequate Access Request Forms for CLAIMS 3 LAN and CLAIMS 4 System Users
CIS-IT-10-04    Repeat          Procedures for Transferred/Terminated Personnel Exit Processing are not Finalized
CIS-IT-10-05    Repeat          Equipment and Media Policies and Procedures are not Current
CIS-IT-10-06    Repeat          FFMS Vulnerability Weaknesses Impact USCIS Operations
CIS-IT-10-07    Repeat          Weak Password Configuration Controls for CLAIMS 4
CIS-IT-10-08    Closed          Ineffective Safeguards over Physical Access to Sensitive Facilities and Resources
CIS-IT-10-09    Repeat          Lack of Policies and Procedures for CLAIMS 3 LAN and CLAIMS 4 Audit Logs
CIS-IT-10-10    Repeat          Weak Logical Access Controls Exist over CLAIMS 4
CIS-IT-10-11    Repeat          Lack of Policies and Procedures for Separated CLAIMS 3 LAN Accounts
CIS-IT-10-12    Repeat          IT Security Awareness Training Compliance is not Monitored
CIS-IT-10-13    Repeat          ADEX Access Request Forms are not Properly Maintained
CIS-IT-10-14    Repeat          Default Installation and Configuration of Cisco routers on ICE Network Impact USCIS Operations

CONS-IT-10-01   Repeat          Network Logical Access Parameters are not Configured in Accordance with DHS policy

FEMA-IT-10-01   Repeat          Recertification of National Emergency Management Information System (NEMIS) Access Control System Position Assignments is Incomplete
FEMA-IT-10-02   Repeat          Alternate Processing Site for NEMIS Has Not Been Established
FEMA-IT-10-03   Closed          End-User Workstation Screensaver Configuration is Not Sufficient
FEMA-IT-10-04   Repeat          Operating System Audit Logging on Servers Supporting Financial Applications within the Previous NEMIS Accreditation Boundary is Not Adequate
FEMA-IT-10-05   Repeat          Payment and Reporting System (PARS) Database Security Controls Are Not Appropriately Established
FEMA-IT-10-06   Repeat          Oracle Databases Supporting Financial Applications within the Previous NEMIS Accreditation Boundary are Not Configured to Enforce Password Requirements
FEMA-IT-10-07   Closed          Integrated Financial Management Information System (IFMIS)-Merged Oracle Database is Not Configured to Prevent the Reuse of Passwords
FEMA-IT-10-08   Repeat          Oracle Databases Supporting Financial Applications within the Previous NEMIS Accreditation Boundary Do Not Adequately Enforce Account Lockout Requirements
FEMA-IT-10-09   Repeat          Audit Logging on Databases Supporting Financial Applications within the Previous NEMIS Accreditation Boundary is Not Adequate
FEMA-IT-10-10   Closed          Inadequate FEMA Contractor Tracking Program
FEMA-IT-10-11   Repeat          Weaknesses Exist over IFMIS-Merger Application and Database Audit Logging
FEMA-IT-10-12   Closed          Grants & Training (G&T) IFMIS Access Authorizations Were Not Consistently Documented
FEMA-IT-10-13   Closed          G&T IFMIS Oracle Database Auditing Was Not Sufficient
FEMA-IT-10-14   Repeat          Weaknesses Exist over Recertification of Access to the IFMIS-Merger Application
FEMA-IT-10-15   Closed          Recertification of G&T IFMIS Application and Database Access Recertification Was Not Performed
FEMA-IT-10-16   Closed          G&T IFMIS Was Not Certified and Accredited
FEMA-IT-10-17   Repeat          Formalized Training Requirements for Individuals with Significant Information Security Responsibilities Have Not Been Fully Implemented and Role-Based Training is Not Tracked or Monitored
FEMA-IT-10-18   Repeat          Weaknesses Exist over the Authorization to Operate (ATO) and Certification & Accreditation (C&A) Documentation for NEMIS
FEMA-IT-10-19   Repeat          Lack of Adequate Configuration Management over Network Devices Supporting Financial Systems
FEMA-IT-10-20   Repeat          NEMIS Contingency Plan Does Not Comprehensively Address the Requirements of DHS Policy and Has Not Been Adequately Tested
FEMA-IT-10-21   Repeat          Employee Termination Process for Removing System Access Should Be More Proactive
FEMA-IT-10-22   Repeat          Weaknesses Exist over Management and Technical Controls Associated with FEMA Local Area Network (LAN) Accounts
FEMA-IT-10-23   Repeat          Weaknesses Existed over the Configuration Patch Management Process for the National Flood Insurance Program (NFIP) LAN Supporting Traverse
FEMA-IT-10-24   Repeat          Risk Assessment Activities over NFIP IT Systems were Not Adequately Performed
FEMA-IT-10-25   Repeat          Individual User Virtual Private Network (VPN) Access Accounts are Not Appropriately Authorized or Recertified
FEMA-IT-10-26   Repeat          IFMIS-Merger User Access was Not Managed in Accordance with Account Management Procedures
FEMA-IT-10-27   Closed          G&T IFMIS Oracle Database Security Controls Were Not Configured Properly
FEMA-IT-10-28   Repeat          Weaknesses Exist in the C&A Package for the FEMA Switched Network (FSN)-2, which Includes the FEMA LAN
FEMA-IT-10-29   Closed          The PARS Has Not Been Certified and Accredited
FEMA-IT-10-30   Repeat          Emergency and Temporary Access to IFMIS-Merger is Not Properly Authorized
FEMA-IT-10-31   Closed          Weaknesses Exist in FEMA's Incident Response Capability
FEMA-IT-10-32   Closed          G&T IFMIS and IFMIS-Merger Patch Management Weaknesses
FEMA-IT-10-33   Repeat          Weaknesses Exist over Vulnerability Management for Servers Supporting Financial Applications within the Previous NEMIS Accreditation Boundary
FEMA-IT-10-34   Closed          Weaknesses Exist over Vulnerability Management for G&T IFMIS and IFMIS-Merger
FEMA-IT-10-35   Closed          Weaknesses Exist over NEMIS Patch Management Guidance
FEMA-IT-10-36   Repeat          Weaknesses Exist over the Configuration and Testing of Backups for Servers Supporting Financial Applications Within the Previous NEMIS Accreditation Boundary
FEMA-IT-10-37   Closed          Security Awareness Issues Associated with Social Engineering Testing at FEMA
FEMA-IT-10-38   Repeat          Physical Security and Security Awareness Issues Associated with Enhanced Security Testing at FEMA
FEMA-IT-10-39   Repeat          Monitoring of Configuration Changes Deployed to the IFMIS-Merger Production Environment are Inadequate
FEMA-IT-10-40   Closed          System Programmers Had the Ability to Migrate Code into the G&T IFMIS Production Environment
FEMA-IT-10-41   Closed          Password, Patch, and Configuration Management Weaknesses Were Identified during the Vulnerability Assessment on IFMIS, NEMIS, and Key Support Servers
FEMA-IT-10-42   Repeat          Weaknesses Exist over C&A Documentation for IFMIS-Merger
FEMA-IT-10-43   Repeat          Weaknesses Exist over the ATO and C&A Documentation for NEMIS
FEMA-IT-10-44   Repeat          IFMIS-Merger System Software Administrator Activity Is Not Appropriately Restricted or Monitored
FEMA-IT-10-45   Repeat          Weaknesses Exist over Background Investigations for Federal Employees and Contractors
FEMA-IT-10-46   Repeat          Key Controls over Production Servers Supporting Applications Within the Former NEMIS Accreditation Boundary Have Not Been Implemented
FEMA-IT-10-47   Closed          FEMA Management Needs to Improve Planning, Management, and Communication Related to Financial Systems Development and Acquisition Projects
FEMA-IT-10-48   Repeat          Weaknesses in the Management of Plans of Action & Milestones (POA&Ms) for Audit Findings over FEMA Financial Systems
FEMA-IT-10-49   Repeat          Documentation Supporting IFMIS-Merger User Functions Does Not Exist
FEMA-IT-10-50   Repeat          External Connections to the FEMA VPN Are Not Appropriately Authorized or Documented
FEMA-IT-10-51   Closed          NEMIS Access Restrictions to Program Directories within the Test and Development Laboratory (TDL) Needs Improvement
FEMA-IT-10-52   Repeat          Vulnerability Assessment Program for the NFIP LAN Supporting Traverse was Inadequate
FEMA-IT-10-53   Closed          Transaction Record Reporting and Processing (TRRP) Mainframe Access Accounts Are Not Periodically Reviewed
FEMA-IT-10-54   Closed          Inadequate Implementation of DHS Systems Engineering Life Cycle (SELC) Requirements for the IFMIS-Merger Project
FEMA-IT-10-55   Repeat          NFIP LAN Audit Logging is Not Performed in Accordance with DHS and FEMA Requirements
FEMA-IT-10-56   Repeat          Weaknesses Exist over TRRP Mainframe Audit Logs
FEMA-IT-10-57   Closed          Lack of Formal Processes for Managing Remote Access to the LAN Supporting the TRRP Mainframe
FEMA-IT-10-58   Repeat          Traverse Configuration Management Plan Weaknesses
FEMA-IT-10-59   Repeat          TRRP Configuration Management Plan Weaknesses
FEMA-IT-10-60   Closed          Weaknesses Exist over the Implementation of Traverse System Changes
FEMA-IT-10-61   Repeat          Weaknesses Existed over Contingency Planning, Testing and Development of the Continuity of Operations Plan (COOP) for TRRP and Traverse
FEMA-IT-10-62   Repeat          Weaknesses Exist over Configuration Management Processes for Financial Applications within the previous NEMIS Accreditation Boundary
FEMA-IT-10-63   Repeat          Weaknesses Exist over IFMIS-Merger Configuration Management Processes

FLETC-IT-10-01  Closed          A Configuration Management Plan has not been fully implemented
FLETC-IT-10-02  Closed          Ineffective Logical Access Controls over the Glynco Administrative Network (GAN)
FLETC-IT-10-03  Closed          Physical Security and Security Awareness Issues Identified during Enhanced Security Testing
FLETC-IT-10-04  Closed          GAN audit logs are not reviewed
FLETC-IT-10-05  Closed          Weak Access Controls around Momentum
FLETC-IT-10-06  Repeat          Ineffective Logical Access Controls over Student Information System (SIS)

ICE-IT-10-01    Repeat          Procedures for Transferred/Terminated Personnel Exit Processing are not Followed
ICE-IT-10-02    Closed          Ineffective Password Settings in FFMS
ICE-IT-10-03    Closed          Formal Policy for FFMS Access Recertification is not Documented and Approved
ICE-IT-10-04    Repeat          Weak FFMS Segregation of Duties
ICE-IT-10-05    Closed          Audit Log Policies and Procedures are not Documented for FFMS
ICE-IT-10-06    Repeat          Terminated/Transferred Personnel are not Removed from ADEX in a Timely Manner
ICE-IT-10-07    Closed          Weak Environmental Controls at the OCS Datacenter
ICE-IT-10-08    Closed          Weak Environmental Controls at the PCN Computer Room
ICE-IT-10-09    Repeat          Security Awareness Issues Identified during Social Engineering
ICE-IT-10-10    Repeat          Security Awareness Issues Identified during After-Hours Walkthrough
ICE-IT-10-11    Closed          Training for IT Security Personnel is not Mandatory
ICE-IT-10-12    Closed          Physical Safeguard Weaknesses exist at DHS DC2 Datacenter
ICE-IT-10-13    Repeat          FFMS Network and Servers were Installed with Default Configuration Settings and Protocols
ICE-IT-10-14    Repeat          FFMS Mainframe Production Databases were Installed and Configured without Baseline Security Configurations
ICE-IT-10-15    Repeat          FFMS Servers have Inadequate Patch Management
ICE-IT-10-16    Repeat          Default Installation and Configuration of Cisco Routers on ICE Network

OCIO-IT-10-01   Repeat          DHS has not Fully Implemented the Federal Desktop Core Configuration (FDCC) Security Configurations Requirements
OCIO-IT-10-02   Closed          DHS Policies and Procedures Need Clarity

TSA-IT-10-01    Repeat          Physical Security and Security Awareness Issues Identified during Enhanced Security Testing
TSA-IT-10-02    Repeat          Core Accounting System (CAS), Financial Procurement Desktop (FPD), and Sunflower Access Recertifications
TSA-IT-10-03    Repeat          TSA Computer Access Agreement Process
TSA-IT-10-04    Repeat          Configuration Management Controls Over the Coast Guard Scripting Process


Appendix D

Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
General Counsel
Chief of Staff
Deputy Chief of Staff
Executive Secretariat
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Under Secretary, Management
Chief Information Officer
Chief Financial Officer
Chief Information Security Officer
Assistant Secretary, Policy
DHS GAO OIG Audit Liaison
Chief Information Officer, Audit Liaison

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate


ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General
(OIG) at (202)254-4100, fax your request to (202)254-4305, or e-mail your request to
our OIG Office of Public Affairs at DHS-OIG.OfficePublicAffairs@dhs.gov. For
additional information, visit our OIG website at www.oig.dhs.gov or follow us on Twitter
@dhsoig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal
or noncriminal misconduct relative to Department of Homeland Security programs and
operations:

• Call our Hotline at 1-800-323-8603

• Fax the complaint directly to us at (202)254-4292

• E-mail us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
        DHS Office of Inspector General/MAIL STOP 2600,
        Attention: Office of Investigation - Hotline,
        245 Murray Drive SW, Building 410
        Washington, DC 20528

The OIG seeks to protect the identity of each writer and caller.